celebratedrecluse OP wrote

Reply to comment by engi in signal.png by celebratedrecluse

Tox is experimental, has security bugs, doesn't have an active enough development team imho. XMPP is the standard for folks, but as i understand it doesn't have the features like calling/videochat etc that signal does, nor does it have the same ease of setup & use for the average user.

Which brings me to my main point. The problem is that Signal has, by their design choices (ease of use, outsourcing user identity creation to corporate PSTN networks, etc), become the biggest filter bubble for the opsec-minded subpopulation. Due to their anti-federated design, this filter bubble excludes and discourages anyone using other privacy protection systems for the niche that Signal fills.

Very convenient for someone who wanted to concentrate their attacks on this subpopulation, that Signal has these competitive policies built right into the network concept, and has centralized most targets into a single node. Makes it very difficult for others to compete. Combined with the WhatsApp founder pumping 50 million US dollars into Signal-- which was literally obtained from their sale of WhatsApp to FB, they even advertised this-- there's basically no hope for creating a comprehensively secure and widespread private communication system for privacy-concerned people. Signal is likely the best we will get for a long time, not because technology prohibits the development of something more robust, but because market dynamics are shaping this intentionally into reality against the technological advancement being made piecemeal, disproportionately by insurgent and explicitly political FOSS developers and always without the scale of financial support that the surveillance apparatus does for marketing & development.

The broad Fourteen Eyes strategy is to make all-- or, functionally, >95%-- of communications reviewable by the intelligence agencies. They want this in the long term in order to develop machine learning algorithms for processing the data with even less human labor time, maximizing their returns on investment.

However, in the short term it provides avenues by which to identify threats and begin investigations, even if the initial leads aren't included in the evidence produced during the criminal proceedings. This is called Parallel Construction and every person who might be targeted by the state should understand this concept.

The way they accomplish these ends is by not only compromising all communications, but compromising communications and infosec at multiple layers. Backdoors in individual applications, end user operating systems, server OSes, network routing embedded devices, the firmware of important components, and ultimately even specially designed hardware bugs deployed on the most evasive and interesting targets.

The privatization of the network infrastructure helps the state as well, by creating a black box of information and a slew of ways that the government can obtain information from private companies and use them as a bulwark against public understanding and opposition to what is fundamentally both a capitalist and a statist project-- the surveillance of the internet.

Finally, there's yet another set of layers: the compromising of enough nodes on decentralized federated structures such as Tor through the use of their basically unlimited financial resources, and the running of honeypot VPNs/proxies or compromising the more legit ones through secret legal proceedings.

So understand that everything is broken, and realize that engaging in basic security culture that isn't technologically dependent is probably the best strategy for keeping you and your community safe from this type of surveillance in the short term.

3

engi wrote

> XMPP is the standard for folks, but as i understand it doesn't have the features like calling/videochat etc that signal does

it does, it's called jingle

> nor does it have the same ease of setup & use for the average user

I see this repeated often, never with any examples

> Very convenient for someone who wanted to concentrate their attacks on this subpopulation

when I'm feeling more conspiracy minded I'll think moxie is on the payroll of some three letter org

> everything is broken

acab - all computers are broken

2

celebratedrecluse OP wrote

> it does, it's called jingle

Cool, I'll check it out

> I see this repeated often, never with any examples

Well, for most people Signal sets up with a verification text and you're good to go. No troubleshooting or any other issues. Matrix & XMPP require, not much more, but certainly more familiarity. To be more specific, there's options to either encrypt or not encrypt messages to other people instead of everything being encrypted by default on the platform. At least, that's how it appeared to work to me a few years ago

2

engi wrote (edited)

nothing stops you (edit: as in "someone") from writing an xmpp client which insists on omemo and provides a bunch of default servers to register on (or entering one or more existing accounts)

I honestly don't get why signal needs to have any tie with the phone system. it boggles the mind

1

celebratedrecluse OP wrote

For sure, XMPP may be the way to go in the future, but for now Signal has fucked things up a little bit to say the least. Nobody is going to install multiple encrypted messengers on their phone just to communicate with everyone else

2